When attackers turn your tools against you, only expert-managed layers stand.
What You Need to Know
For years, those “I hacked your webcam” emails relied on fear, not facts. Attackers grabbed an old password from a breach dump, waved it in your face, and demanded crypto. Most had no access to your device, your camera, or your accounts. That era is ending. A new wave of information-stealing malware now automates sextortion and account takeover at the same time. These tools monitor for adult or explicit content in the browser.
When a trigger appears, they capture a synchronized webcam image and desktop screenshot to manufacture “proof.” At the same time, they quietly harvest passwords, browser cookies, and session tokens for Microsoft 365, Google Workspace, banking portals, and chat apps. The result is a credible shakedown paired with the means to walk into your cloud environment without a password.
For a Canadian SMB, the business risk is no longer just embarrassment. An ashamed employee may approve a malicious MFA (multi-factor authentication) prompt, share a one-time code, or unlock a device. That is a direct path to business email compromise (BEC), fraudulent payments, data theft, and operational downtime. There are privacy implications as well. In Québec, Law 25 requires organizations to assess risk, notify affected individuals and the CAI when warranted, and maintain an incident register—even if the incident started on a personal device. Boards expect that you can explain exposure, show the controls, and demonstrate continuous monitoring.
The good news: you can dramatically reduce leverage in 90 minutes with targeted moves. Default-deny webcam access, ship physical privacy shutters, enable number-matching MFA and begin a passkey (FIDO2) rollout for high-risk users, and tune your EDR/XDR to alert on camera and screen-capture API calls from unapproved processes. Block known-compromised passwords, move users to an enterprise password manager, and shorten cloud session lifetimes. Cap it with a short, shame-free advisory to staff that explains the tactic and exactly how to report.
Your outcome: lower odds of extortion sticking, fewer successful account takeovers, and faster, cleaner incident handling if something slips through. You protect people and the business in one motion—and you do it with controls you likely already own. Fusion Cyber can help you implement the quick wins now and build a layered, 24/7 defence that removes attacker leverage long-term.

How the bluff used to work
Classic sextortion emails followed a predictable script. Criminals scraped breach dumps for any credential tied to your email address, then pasted an old or reused password into the subject line or the opening sentence. Seeing a familiar string shocked recipients into believing the attacker truly had access to their device or webcam. The email claimed a compromise, threatened to release an embarrassing video, and demanded cryptocurrency within a short window. The goal was panic, not proof.
Technically, most of these campaigns had nothing—no webcam control, no desktop view, no foothold in your account. They simply combined publicly available breach data with social engineering. The scam exploited three human factors. First, password reuse: many people repeat old passwords across services, so seeing one feels uncomfortably real. Second, shock and shame: the subject is private, so victims often delay telling IT or security. That delay gives criminals time to press for payment. Third, urgency: tight deadlines and threats of widespread exposure push people to act without seeking help.
For businesses, the damage was indirect but real. Employees lost time, leaders fielded worried calls, and some paid ransoms from personal wallets. A few attackers layered in BEC-style tactics by “replying” from spoofed addresses or using lookalike domains to pressure finance teams. Still, these were largely hollow threats. Blocking the sender, reminding staff not to pay, and rotating passwords usually ended the episode.
Why revisit the old playbook? Because it set the stage for today’s escalation. Attackers learned that shame is powerful leverage and that employees hesitate to report when they fear personal embarrassment. They also learned that mentioning a real password increases perceived credibility, even if it’s ancient. The step change now is automation plus evidence. Instead of bluffs, toolkits can create plausibility on demand and pair it with token theft that enables actual account access. That fundamentally transforms the risk from a nuisance into a business-level incident involving identity, finance, legal, and privacy teams.
What changed—and why this matters now
Modern information-stealers have evolved from simple keyloggers into multi-function automation kits. Once installed—often via routine lures like fake invoices, shipping notices, missed delivery cards, or “legal” threats—they monitor browser activity for sensitive patterns. When adult or explicit content is detected, the malware triggers a synchronized webcam photo and desktop screenshot. This gives attackers something that looks like proof, even if the scene is ambiguous or fabricated. Simultaneously, the same toolset quietly harvests passwords, cookies, and session tokens stored by the browser. Because a session token represents a login that has already been completed, replaying it skips the password check and sometimes MFA as well, granting direct access to cloud apps.
Exfiltration is stealthy and fast. Many families ship stolen data over common channels—Telegram, Discord, or SMTP—that blend into normal outbound traffic. They may also compress data into tiny archives to slip past size-based filters. Some kits add extra force multipliers: automatically attempting OAuth consent to rogue apps, creating scheduled tasks for persistence, or disabling built-in security settings. In short, one execution chain manufactures social pressure while enabling technical compromise.
Why does this matter for SMBs? First, the coercion risk changes employee behaviour. A panicked staffer may accept an MFA push just to silence notifications, approve a consent prompt they don’t understand, or unlock a laptop for “support.” Second, identity is the new perimeter. If tokens and cookies are stolen, attackers can walk into Microsoft 365, Google Workspace, payroll, or banking—often without tripping legacy password policies. Third, compliance exposure is real. In Québec, Law 25 obligations (risk assessment, notifications, incident register) may apply even when the initial trigger feels “personal.” Regulators care about the protection of personal information, not the origin story.
Finally, this is economical for attackers. The same code works across thousands of victims with minimal adaptation. It scales the collection of both leverage (the “evidence”) and profit (fraud, resale of access, or ransomware staging). For leaders, the takeaway is simple: treat automated sextortion as a business risk with identity, financial, and reputational consequences—not a private embarrassment to be ignored or handled ad hoc.

What this means for Canadian SMBs
This threat collapses the boundary between the personal and the professional. An employee targeted at home may make decisions that expose the company at work. For Canadian SMBs, three implications stand out. People are the pressure point. Attackers count on shame to delay reporting and on fear to drive poor choices—approving an MFA prompt, sharing a one-time code, or installing a “fix.” Your defensive posture must assume that a good person may make a rushed choice under stress.
Identity is the new front door. Browser-stored tokens and cookies can render your password policies moot. If a thief replays a valid session token, they can access mailboxes, files, and SaaS apps without ever typing a password. That means your controls must extend beyond password complexity. You need phishing-resistant MFA (passkeys/FIDO2) for admins and high-risk users, Conditional Access that checks device health and location, short session lifetimes, and rapid session revocation when anomalies appear.
Privacy and regulatory duty are in play, particularly in Québec under Law 25. If personal information under your control faces a risk of serious injury, you may need to notify the CAI and affected individuals and document the incident in a register. The fact that the extortion attempt began with explicit content or on a non-corporate device does not remove that duty. You must be ready to assess quickly: What was accessed? Which systems? Whose data? What’s the likelihood of harm?
Operationally, expect BEC and payment fraud attempts to spike after token theft. Attackers may monitor inboxes, alter invoices, or impersonate executives to push urgent wires. Expect supply-chain implications if a compromised account targets your customers or partners. And expect reputation pressure if attackers threaten to disclose material or claim they already have. Your response must be coordinated across security, finance, legal, HR, and communications.
The practical path is twofold: implement targeted technical controls that remove easy mistakes (default-deny cameras, passkeys, session hygiene, EDR alerts) and cultural controls that remove shame (discreet reporting, amnesty language, visible leadership support). That combination protects your people and your brand while satisfying board-level expectations and regulatory requirements.
Do this today (90 minutes, practical and high-impact)
You can meaningfully reduce risk this morning with focused steps that use tools you likely already own. Start with authentication. Turn on number-matching MFA everywhere it’s supported to eliminate blind “approve” taps. Kick off a passkey/FIDO2 rollout for admins, finance, HR, and executives—anyone whose compromise would be high-impact. Set a short deadline for these groups (days, not weeks) and ship hardware security keys if needed.
Next, lock down cameras. In your MDM/endpoint management, set webcams to disabled by default and explicitly allow only approved apps (Teams, Zoom, etc.). Issue privacy shutters for all corporate laptops—low cost, high value—and include the policy in your device baseline. Pair this with browser hardening for high-risk roles: disable password saving, require enterprise password manager use, and enforce separation between work and personal profiles.
Now tune detection and alerting. In your EDR/XDR, create rules for camera access and screen-capture API calls originating from unapproved processes. Add alerts for unusual cookie or credential dumping, outbound connections to Telegram/Discord/SMTP from endpoints that don’t normally use those services, and sudden OAuth consent to unknown apps. Route these alerts to an on-call human with authority to disable an account and revoke sessions immediately.
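As an added illustration (not Fusion Cyber's code, and not the rule syntax of any EDR product), here is a prototype of the detection logic above run over constructed endpoint events. The allowlists, the event format, and the sample telemetry are all assumptions; replace them with your own baseline before adapting the rules to your EDR/XDR.

```python
from collections import defaultdict

# Assumed allowlists and indicators (constructed; tune to your own EDR/MDM baseline).
APPROVED_CAPTURE = {"teams.exe", "zoom.exe"}           # apps allowed to use camera/screen
APPROVED_OAUTH = {"microsoft-teams", "zoom"}            # apps staff may grant consent to
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
EXFIL_HOSTS = ("telegram.org", "discord.com", "discordapp.com")
SMTP_PORTS = {25, 465, 587}
SECRET_STORES = ("Cookies", "Login Data", "Web Data", "logins.json")
SYNC_WINDOW = 5  # seconds; camera + screen capture this close together = manufactured "proof"

def parse(line):  # constructed event format: '<ts> <host> <kind> <process> key=value ...'
    ts, host, kind, proc, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return {"ts": int(ts), "host": host, "kind": kind, "proc": proc.lower(), **fields}

def detect(lines):
    """Return (severity, host, reason) tuples for the behaviours the text says to alert on."""
    alerts, captures = [], defaultdict(dict)  # captures[(host, proc)] -> {kind: ts}
    for e in (parse(l) for l in lines if l.strip()):
        host, proc, kind = e["host"], e["proc"], e["kind"]
        if kind in ("camera", "screen_capture"):
            if proc not in APPROVED_CAPTURE:
                alerts.append(("HIGH", host, f"{kind} by unapproved process {proc}"))
            seen = captures[(host, proc)]
            seen[kind] = e["ts"]
            if "camera" in seen and "screen_capture" in seen and \
                    abs(seen["camera"] - seen["screen_capture"]) <= SYNC_WINDOW:
                alerts.append(("CRITICAL", host, f"synchronized webcam+screen capture by {proc}"))
        elif kind == "file_read" and proc not in BROWSERS and e["path"].endswith(SECRET_STORES):
            alerts.append(("HIGH", host, f"{proc} read browser secret store {e['path']}"))
        elif kind == "net_out":
            dst, port = e["dst"], int(e["port"])
            if dst.endswith(EXFIL_HOSTS) and proc not in BROWSERS:
                alerts.append(("MEDIUM", host, f"{proc} connected to {dst} (common exfil channel)"))
            elif port in SMTP_PORTS and proc not in MAIL_CLIENTS:
                alerts.append(("MEDIUM", host, f"{proc} sent SMTP to {dst}:{port}"))
        elif kind == "oauth_consent" and e["app"].lower() not in APPROVED_OAUTH:
            alerts.append(("HIGH", host, f"OAuth consent granted to unknown app {e['app']}"))
    return alerts

# Constructed sample telemetry: a legitimate Teams call, then an infostealer-like chain.
SAMPLE_EVENTS = """\
1000 LT-FIN-07 camera teams.exe
1200 LT-FIN-07 camera updater.exe
1202 LT-FIN-07 screen_capture updater.exe
1210 LT-FIN-07 file_read updater.exe path=C:/Users/a/AppData/Roaming/Mozilla/Firefox/Profiles/x.default/logins.json
1215 LT-FIN-07 net_out updater.exe dst=api.telegram.org port=443
1230 LT-FIN-07 net_out outlook.exe dst=smtp.office365.com port=587
1240 LT-FIN-07 oauth_consent msedge.exe app=invoice-sync
"""

if __name__ == "__main__":  # demo run over the constructed sample
    print(*detect(SAMPLE_EVENTS.splitlines()), sep="\n")
```

The Teams capture and the Outlook SMTP session produce no alert, while the unapproved process trips the camera, screen-capture, synchronized-capture, credential-store and Telegram rules in sequence, which is the chain an on-call responder should be paged for.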
Remove a classic intimidation lever by blocking known-compromised passwords at the identity provider. Force rotation where needed and migrate users off browser-saved passwords to an enterprise manager with strong policy. Shorten session lifetimes for email and file access; require reauthentication after meaningful risk signals.
Finally, warn your team—in 150 words. Explain the tactic, the signs to watch for, and the exact reporting path (security@ alias, hotline, or private chat). Use clear amnesty language: no blame for reporting quickly. Provide a one-click “Report a Security Issue” button if your platform supports it. The aim is to replace panic with a known playbook: stop, report, preserve; do not reply or negotiate.
These actions don’t solve everything, but they collapse attacker leverage. Even if a lure lands, they’ll struggle to access cameras, ride your sessions, or slip past detection without ringing a bell. That buys your team time—and time is what turns incidents into non-events.

Prepare the human response
Technology reduces surface area, but people decide outcomes. Attackers rely on shame and speed; your job is to remove both as weapons. Start with education that respects privacy. Don’t lecture about personal behaviour. Instead, explain the tactic: malware may fabricate “evidence” and pressure victims into approving prompts or sharing codes. Teach one simple rule: stop, report, preserve; do not reply or negotiate. “Preserve” means don’t delete emails, clear browser data, or unplug devices; let the SOC capture evidence.
Create discreet reporting channels. A security@ mailbox is fine, but add a private chat handle or hotline that routes to on-call responders. Publish response hours (24/7 if covered by your MSSP) and clarify that reports are confidential and judgment-free. Put amnesty language in writing: employees will not be disciplined for promptly reporting an extortion attempt, even if it involves personal content or non-work devices. The faster the report, the smaller the impact.
Run a tabletop exercise that simulates the real mess: a staffer receives a sextortion email with plausible screenshots; finance sees unusual login alerts; an OAuth consent pops for an unfamiliar app; legal asks about notification thresholds; a journalist emails for comment. Assign roles—IT/SOC, HR, legal/privacy, finance, communications—and time-box decisions. Practice how to revoke sessions, reset credentials, preserve evidence, and communicate with empathy.
Document a communications plan. Internal: a short, clear note from leadership normalizing fast reporting and pointing to support resources. External: pre-approved language acknowledging investigation status without oversharing. Media and customer statements should be honest, calm, and specific on protective steps taken.
Map Law 25 obligations in Québec. Define what “serious injury” could mean for your data, who makes that determination, how you’ll notify the CAI and affected individuals, and who maintains the incident register. Train the decision-makers on this threshold so you don’t debate it for the first time under pressure.
Finally, support the human aftermath. Provide access to an employee assistance program if needed. Recognize that embarrassment is real and compassion accelerates cooperation. When staff trust that leadership will protect them, they report earlier—and early reporting is the single biggest factor in keeping an incident small.
Why Fusion Cyber
Fusion Cyber exists to give Canadian SMBs and co-managed enterprises enterprise-grade protection at a size and price that fits. Founded in Montréal and operating since 1985 (incorporated 2004), we bring certified expertise—CEH, PNPT, OSCP, CISSP, CISA—and work within MITRE ATT&CK and the Cyber Kill Chain so your defences map to how attackers actually operate. Our 24/7/365 SOC monitors and responds in minutes, not hours. We deliver MDR/EDR/XDR, threat hunting, SIEM, vulnerability management, penetration testing, DFIR, BCDR, cloud backups, GRC, awareness training, Zero Trust, DNS/web filtering, email security, DLP, dark web monitoring, MFA, and attack-surface management in an integrated program that prioritizes business outcomes.
What sets us apart is aligned incentives and measurable results. We stand behind our work with a financially backed Cybersecurity Guarantee: fully onboarded clients who are breached receive full incident response, containment, and business recovery at our expense. That means our incentives match yours—prevent incidents, reduce dwell time, and minimize impact when something slips through. We focus on controls that remove attacker leverage: phishing-resistant MFA (passkeys), default-deny camera policies, session hygiene, and real-time detections for camera/screen-capture behaviours, token theft, and rogue OAuth consent. Then we stitch those controls together with people who can act—24/7—for decisive outcomes.
We also understand Canadian privacy expectations and Québec Law 25 obligations. We help you assess risk, decide on notifications, and maintain an incident register without slowing operations. Our playbooks include communications support because trust and clarity matter as much as telemetry when the pressure is on.
FAQ:
What makes “automated sextortion” different from old scams?
Today’s malware can trigger synchronized webcam and screen captures while stealing session tokens. That creates plausible “proof” and enables immediate account access—turning a personal shakedown into a business-level incident with identity risk.
Will passkeys really stop this?
Passkeys (FIDO2) remove password reuse and are phishing-resistant. Combined with Conditional Access and short session lifetimes, they sharply reduce token replay and MFA fatigue approvals that sextortion campaigns try to coerce.
What should an employee do first?
Follow the rule: stop, report, preserve. Don’t reply or negotiate. Use the discreet reporting channel, keep evidence (emails, screenshots), and let the SOC revoke sessions and isolate devices. Speed helps contain access abuse.
Does Law 25 apply if it starts at home?
Yes—if personal information under your control faces risk of serious injury, obligations may trigger. Assess quickly, document in the incident register, and coordinate notifications with privacy counsel per CAI guidance.

SITUATION
Sextortion emails were bluffs; now automation fabricates “proof” and targets your business.
COMPLICATION
Infostealers trigger webcam and screen captures, steal tokens, and exfiltrate data—turning shame into real account compromise, payment fraud, and privacy obligations.
QUESTION
How can Canadian SMBs remove attacker leverage quickly without buying new tools?
ANSWER
In 90 minutes: enforce number-matching MFA, start passkeys for high-risk users, default-deny webcams, enable EDR camera/screen alerts, shorten sessions, publish shame-free reporting—and monitor 24/7.
Our Cybersecurity Guarantee
“At Fusion Cyber Group, we align our interests with yours.”
Unlike many providers who profit from lengthy, expensive breach clean-ups, our goal is simple: stop threats before they start and stand with you if one ever gets through.
That’s why we offer a cybersecurity guarantee: in the very unlikely event that a breach gets through our multi-layered, 24/7 monitored defenses, we will handle all:
threat containment,
incident response,
remediation,
eradication,
and business recovery—at no cost to you.
Ready to strengthen your cybersecurity defenses? Contact us today for your FREE network assessment and take the first step towards safeguarding your business from cyber threats!